where is the XAMPP session id cookie

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

bowlesj
Forum Contributor
Posts: 179
Joined: Fri Jul 18, 2014 1:54 pm

where is the XAMPP session id cookie

Post by bowlesj »

Hi,

I have just completed the registration, login, profile portion of my website (local host only using XAMPP).
I am just reviewing the session security procedures.
In this web link https://wblinks.com/notes/secure-sessio ... ment-tips/ it suggested I remove the session ID cookie when I log the person off due to lack of user activity.

The code for the user notice time out page is below. (the cookie delete is from the page above but I placed a comment in the code)

<?php
session_start();
session_unset();
setcookie("sid","",1);  //I can't see why this would work since the cookie is on the client machine - should it not be javascript doing the delete of the cookie???
session_destroy();
?>
I have tried a lot of things to find this file (obviously before the above page gets executed) but luck is not with me I guess. Where is it? (again I am using XAMPP).
By the way, I found the general Google Chrome cookie directory and it does not seem to be there based upon a date/time sort.

Thanks,
John
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: where is the XAMPP session id cookie

Post by Celauran »

You're right that cookies are stored client side. PHP sets cookies along with the rest of the HTTP headers.
bowlesj
Forum Contributor
Posts: 179
Joined: Fri Jul 18, 2014 1:54 pm

Re: where is the XAMPP session id cookie

Post by bowlesj »

Thanks Celauran. You got me thinking; I did a Google search and found what you are talking about:
http://php.net/manual/en/function.setcookie.php

So I guess my former impression that only HTML code gets to the client machine and that PHP uses ONLY echo statements to build HTML code on the server side is not correct. In other words, there is header info before the HTML and PHP can directly affect that. Okay, so that answers my comment question in the code I guess.


I found where one can look at the cookie at least.
https://code.google.com/p/procurement/w ... hSessionID
In Google Chrome (after opening up a localhost page where the session is started and on that browser page):
**Press F12
**click the resources item at the top.
**expand cookies and select the http://www.whatever.com item on the list
**find the item on the right that says PHPSESHID
**double click on the value, right click, copy. Your session ID is now in the clipboard.

I did what is said above. I found the session ID cookie in the display but the cookie delete statement does not seem to remove it. It's a mystery so far. I did notice that as I move through the web pages I have created, the value inside the PHPSESSIONID does change (and I remember reading that it is probably encrypted, which it appears to be), so maybe the command just changes the value and when the window is closed it removes the cookie (located in some mysterious location for security purposes). If that is what happens I have no problem with it just as long as I know it is automatic (unless each browser is different of course).

I have commented out the cookie timed delete statement until such time as I can prove it works.
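
The logout snippet in the first post calls setcookie() on a cookie named "sid", but a browser only drops a cookie when the expiring Set-Cookie header matches the original cookie's name, path and domain, and PHP names its session cookie with session_name() (PHPSESSID unless session.name is changed). The following is an added example, not code from the thread or the linked article, that follows the pattern shown in the PHP manual for session_destroy(); it assumes PHP 7.3+ and cookie-based sessions, and the function name end_session_and_expire_cookie() is hypothetical.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+ (options-array form of
// setcookie) and cookie-based sessions; the function name is hypothetical.

function end_session_and_expire_cookie(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Cookies travel in the HTTP response headers, so this must run before
    // any page output has been sent.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }

    // Clear the session data held in this request.
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        // Reuse the attributes PHP used when it set the cookie, so the
        // browser treats this header as a replacement for the same cookie.
        $p = session_get_cookie_params();
        $options = [
            'expires'  => time() - 42000, // a past date tells the browser to drop it
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $options['samesite'] = $p['samesite'];
        }
        // session_name() is "PHPSESSID" unless session.name was changed.
        setcookie(session_name(), '', $options);
    }

    // Remove the session data stored on the server.
    session_destroy();
}

end_session_and_expire_cookie();
echo 'You have been logged out due to inactivity.';
```

session_destroy() on its own removes only the server-side data; the cookie stays in the browser until a matching expired Set-Cookie header is received or the browser discards it.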